;
// tslib-style helper emitted by tsc for `import * as ns`: reuse a cached copy on `this`
// if one exists, otherwise wrap a CommonJS module as a namespace object whose `default`
// is the module itself. Modules flagged `__esModule` are returned untouched.
var __importStar = (this && this.__importStar) || function (mod) {
  if (mod && mod.__esModule) {
    return mod;
  }
  const namespace = {};
  if (mod != null) {
    // Own enumerable properties only — inherited keys are deliberately skipped.
    for (const key of Object.keys(mod)) {
      namespace[key] = mod[key];
    }
  }
  namespace["default"] = mod;
  return namespace;
};
// tslib-style helper emitted by tsc for `import x from`: an ES module (flagged
// `__esModule`) passes through; anything else becomes `{ default: mod }`.
var __importDefault = (this && this.__importDefault) || function (mod) {
  const isEsModule = Boolean(mod && mod.__esModule);
  if (isEsModule) {
    return mod;
  }
  return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
// Third-party ASN.1 / X.509 parsers; `Certificate_1.default` is the pki.js Certificate class.
const asn1js = __importStar(require("asn1js"));
const Certificate_1 = __importDefault(require("pkijs/build/Certificate"));
// X.500 attribute and X.509 extension OIDs (RFC 5280) used when reading subject/issuer names.
exports.commonNameOid = "2.5.4.3"; // id-at-commonName
exports.subjectAlternativeNameOid = "2.5.29.17"; // id-ce-subjectAltName; exported for callers, not read in this file
const organizationNameOid = "2.5.4.10"; // id-at-organizationName
const organizationalUnitNameOid = "2.5.4.11"; // id-at-organizationalUnitName
// sha1WithRSAEncryption (RFC 3279). The DSA and ECDSA SHA-1 signature algorithms have
// distinct OIDs (1.2.840.10040.4.3 and 1.2.840.10045.4.1) and are not this value.
const sha1EncryptionOid = "1.2.840.113549.1.1.5";
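/**
 * Create a pki.js Certificate instance from a PEM string.
 * @param {string} pem - PEM-encoded X.509 certificate (armored, or the bare base64 body)
 * @returns {Certificate} pki.js Certificate built from the decoded DER
 * @throws {Error} when the decoded bytes cannot be parsed as BER/DER
 */
function createPKICertificate(pem) {
  const certArrayBuffer = convertPemToArrayBuffer(removePemArmoring(pem));
  const asn1data = asn1js.fromBER(certArrayBuffer);
  // asn1js reports a parse failure through `offset === -1` instead of throwing; fail
  // here with the parser's own message rather than letting the Certificate constructor
  // reject the error block later with a less specific schema error.
  if (asn1data.offset === -1) {
    const reason = asn1data.result && asn1data.result.error;
    throw new Error(`Unable to parse certificate: ${reason || "malformed BER/DER"}`);
  }
  return new Certificate_1.default({ schema: asn1data.result });
}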
exports.createPKICertificate = createPKICertificate;
/**
 * Builds a display string for the certificate's subject or issuer name from the
 * first CN, O and OU attribute present (always in that order), e.g. "* CN * O * OU *".
 * Other attribute types, and any repeated attribute of the same type, are ignored,
 * so two names that differ only there render identically.
 * @param {Certificate} pkiCert - pki.js Certificate
 * @param {"issuer"|"subject"} who - which name of the certificate to read
 * @returns {string} the joined name, or "*" when none of the three attributes exists
 */
function findDistinguishedName(pkiCert, who) {
  const separator = " * ";
  const attributes = pkiCert[who].typesAndValues;
  const wantedOids = [exports.commonNameOid, organizationNameOid, organizationalUnitNameOid];
  let distinguishedName = "";
  for (const oid of wantedOids) {
    const match = attributes.find((attribute) => String(attribute.type) === oid);
    if (match === undefined) {
      continue;
    }
    distinguishedName += separator + match.value.valueBlock.value;
  }
  // Trailing separator is appended and the leading space trimmed, giving "* a * b *".
  return (distinguishedName + separator).trim();
}
exports.findDistinguishedName = findDistinguishedName;
/**
 * Treats a certificate as a root when its issuer and subject names render identically
 * (self-issued). This is a naming comparison only: the signature is not verified, so
 * it does not by itself prove the certificate is self-signed.
 * @param {Certificate} cert - pki.js Certificate
 * @returns {boolean} true when issuer and subject produce the same distinguished-name string
 */
function isRootCertificate(cert) {
  const [issuerDN, subjectDN] = ["issuer", "subject"].map((who) => findDistinguishedName(cert, who));
  return issuerDN === subjectDN;
}
exports.isRootCertificate = isRootCertificate;
/**
 * Strips the '-----BEGIN CERTIFICATE-----' / '-----END CERTIFICATE-----' armor lines
 * (plus one line break adjacent to each) from a PEM certificate string.
 * If the input holds several certificates, their base64 bodies are left concatenated;
 * pass a single certificate.
 * @param {string} pemString - PEM text, or an already bare base64 body
 * @returns {string} the trimmed base64 body
 */
function removePemArmoring(pemString) {
  // Only a single \n or \r on each side of an armor line is consumed with it; a leftover
  // half of a \r\n pair at the edges is handled by trim().
  const armorPattern = /((\n|\r)?-----BEGIN CERTIFICATE-----(\n|\r)?|(\n|\r)?-----END CERTIFICATE-----(\n|\r)?)/g;
  const stripped = pemString.replace(armorPattern, "");
  return stripped.trim();
}
exports.removePemArmoring = removePemArmoring;
/**
 * Decodes a base64 certificate body (PEM with its armor lines removed) into a
 * standalone ArrayBuffer, the input type 'asn1js.fromBER' accepts.
 * @param {string} pemString - base64 text
 * @returns {ArrayBuffer} a fresh buffer holding exactly the decoded bytes
 */
function convertPemToArrayBuffer(pemString) {
  const decoded = Buffer.from(pemString, "base64");
  // A Node Buffer may be a view into a larger shared pool, so returning `decoded.buffer`
  // directly could expose unrelated bytes; copy out only this Buffer's byte range.
  const start = decoded.byteOffset;
  return decoded.buffer.slice(start, start + decoded.byteLength);
}
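/**
 * Checks that the certificate's validity period covers a point in time, i.e. that it
 * is neither not-yet-valid nor expired at that instant.
 * @param {Certificate} cert - pki.js Certificate; `notBefore.value` / `notAfter.value` are compared as Dates
 * @param {Date} [now=new Date()] - instant to test against; defaults to the local wall clock,
 *   callers with a more trustworthy time source can pass it explicitly
 * @returns {boolean} true when notBefore <= now <= notAfter
 */
function isValidityPeriodCorrect(cert, now = new Date()) {
  const { notBefore, notAfter } = cert;
  // Both bounds are inclusive, as RFC 5280 defines the validity interval.
  return now >= notBefore.value && now <= notAfter.value;
}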
exports.isValidityPeriodCorrect = isValidityPeriodCorrect;
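/**
 * Checks whether the certificate is signed with a weak (SHA-1 or MD2/MD5 based)
 * signature algorithm. Both the TBS `signature` field and the outer
 * `signatureAlgorithm` are inspected; RFC 5280 requires them to match, so a hit
 * in either is reported.
 * @param {Certificate} cert - pki.js Certificate
 * @returns {boolean} true when either algorithm identifier is a weak signature OID
 */
function isWeakEncryption(cert) {
  // RFC 3279 / RFC 5758 signature OIDs. The previous check only covered
  // sha1WithRSAEncryption, so SHA-1 signatures under DSA/ECDSA slipped through.
  const weakSignatureOids = new Set([
    "1.2.840.113549.1.1.5", // sha1WithRSAEncryption
    "1.2.840.113549.1.1.4", // md5WithRSAEncryption
    "1.2.840.113549.1.1.2", // md2WithRSAEncryption
    "1.2.840.10040.4.3", // dsa-with-sha1
    "1.2.840.10045.4.1", // ecdsa-with-SHA1
  ]);
  return weakSignatureOids.has(cert.signature.algorithmId)
    || weakSignatureOids.has(cert.signatureAlgorithm.algorithmId);
}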
exports.isWeakEncryption = isWeakEncryption;